After creating a job, you will typically want to set up the sandbox (set restrictions) on what processes within the job can do. You can place several different types of restrictions on a job:
The basic limit and extended basic limit prevent processes within a job from monopolizing the system's resources.
Basic UI restrictions prevent processes within a job from altering the user interface.
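Security limits prevent processes within a job from accessing secure resources (files, registry subkeys, and so on). Note that starting with Windows Vista the job-level security limit class is no longer supported: security limitations must be set individually for each process, so a sandbox that relies on this limit must check that the call succeeded.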
You place restrictions on a job by calling the following:
BOOL SetInformationJobObject( HANDLE hJob, JOBOBJECTINFOCLASS JobObjectInformationClass, PVOID pJobObjectInformation, DWORD cbJobObjectInformationSize);
//从动态链接库导出函数 CreateJobObject HINSTANCE hInstance = ::LoadLibrary("Kernel32.dll"); //加载动态链接库 typedef HANDLE (__stdcall* funCreateJobObject)(LPSECURITY_ATTRIBUTES lpJobAttributes,LPCTSTR lpName) ; funCreateJobObject CreateJobObject = (funCreateJobObject)GetProcAddress(hInstance,"CreateJobObjectA"); HANDLE hJob = CreateJobObject(NULL,"ProcessGroup"); ::FreeLibrary(hInstance);
实例:
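#define _WIN32_WINNT 0x0500 // Approach 1: make the SDK headers declare the job-object API (Windows 2000+)
#include <windows.h>
#include <winbase.h>
#include <iostream>
#pragma comment(lib, "Kernel32.lib")

/*
   Quoted by the original author from the CreateJobObject documentation:

     Windows NT: Requires version 5.0 or later.
     Windows: Unsupported.
     Windows CE: Unsupported.
     CreateJobObject
     [This is preliminary documentation and subject to change.]
     The CreateJobObject function creates a job object.
     HANDLE CreateJobObject(
       LPSECURITY_ATTRIBUTES lpJobAttributes,
       LPCTSTR lpName
     );

   CreateJobObject and the related functions therefore require Windows NT 5.0 or
   later. To use them, either resolve them from the DLL at run time (approach 2,
   below) or define _WIN32_WINNT as 0x0500 before including <windows.h>
   (approach 1, used by this program).
*/

// NOTE(review) on approach 2 (kept as the author wrote it, comments translated):
//  - SetInformationJobObject and AssignProcessToJobObject take no string arguments
//    and are exported without an "A"/"W" suffix, so the GetProcAddress lookups for
//    "SetInformationJobObjectA" and "AssignProcessToJobObjectA" return NULL.
//  - OpenJobObjectToken comes from the preliminary documentation; whether a
//    released kernel32.dll exports it is not shown here -- confirm before relying on it.
//  - None of the GetProcAddress results is checked for NULL before use.
/*
    // Approach 2
    HANDLE hJob;
    HINSTANCE hInstance = ::LoadLibrary("Kernel32.dll"); // load the DLL

    // resolve CreateJobObject from the DLL
    typedef HANDLE (__stdcall* funCreateJobObject)(LPSECURITY_ATTRIBUTES lpJobAttributes,LPCTSTR lpName) ;
    funCreateJobObject CreateJobObject = (funCreateJobObject)GetProcAddress(hInstance,"CreateJobObjectA");
    hJob = CreateJobObject(NULL,"ProcessGroup");

    // resolve SetInformationJobObject from the DLL
    typedef BOOL (__stdcall * funSetInformationJobObject)(
        HANDLE hJob,                           // handle to job
        JOBOBJECTINFOCLASS JobObjectInfoClass, // information class
        LPVOID lpJobObjectInfo,                // limit information
        DWORD cbJobObjectInfoLength            // size of limit information
    );
    funSetInformationJobObject SetInformationJobObject = (funSetInformationJobObject)GetProcAddress(hInstance,"SetInformationJobObjectA");

    // resolve AssignProcessToJobObject from the DLL
    typedef BOOL (__stdcall *funAssignProcessToJobObject)(
        HANDLE hJob,     // handle to job
        HANDLE hProcess  // handle to process
    );
    funAssignProcessToJobObject AssignProcessToJobObject = (funAssignProcessToJobObject)GetProcAddress(hInstance,"AssignProcessToJobObjectA");

    typedef BOOL (__stdcall *funOpenJobObjectToken)(
        HANDLE hJob,
        ACCESS_MASK DesiredAccess,
        HANDLE *phToken
    );
    funOpenJobObjectToken OpenJobObjectToken=(funOpenJobObjectToken)GetProcAddress(hInstance,"OpenJobObjectTokenA");

    ::FreeLibrary(hInstance);
*/

// Creates a named job object, applies a security limit to it, starts Notepad
// suspended, places it in the job, resumes it and waits for it to exit.
//
// Every step is checked and the program fails closed: the child is resumed only
// after the limit was accepted and the process is actually inside the job.
// Returns 0 on success and 1 on any failure.
int main()
{
    // The "A" entry points are called explicitly because the program passes narrow
    // string literals; the TCHAR macros would not compile in a UNICODE build.
    HANDLE hJob = CreateJobObjectA(NULL, "Global\\My_Job_ago");
    const DWORD createError = GetLastError(); // read immediately, before any other API call
    if (hJob == NULL)
    {
        std::cout << "CreateJobObject Error !\nError Code is" << createError << std::endl;
        return 1;
    }
    if (createError == ERROR_ALREADY_EXISTS)
    {
        // The name was already taken, so this handle refers to a job some other
        // code created and configured. Do not treat it as our sandbox.
        std::cout << "CreateJobObject Error !\nJob object name already exists" << std::endl;
        CloseHandle(hJob);
        return 1;
    }

    // Zero-initialisation already leaves PrivilegesToDelete, RestrictedSids and
    // SidsToDisable as NULL; only the flag needs to be set.
    JOBOBJECT_SECURITY_LIMIT_INFORMATION jobsec = {0};
    jobsec.SecurityLimitFlags = JOB_OBJECT_SECURITY_RESTRICTED_TOKEN;

    // From Windows Vista onward JobObjectSecurityLimitInformation is not supported
    // and this call fails; security limitations must then be applied to each process
    // individually. Ignoring the result would launch the child with no restriction
    // while the program believes it is sandboxed.
    if (!SetInformationJobObject(hJob, JobObjectSecurityLimitInformation,
                                 &jobsec, sizeof(jobsec)))
    {
        std::cout << "SetInformationJobObject Error !\nError Code is" << GetLastError() << std::endl;
        CloseHandle(hJob);
        return 1;
    }

    STARTUPINFOA si = {sizeof(STARTUPINFOA)};
    PROCESS_INFORMATION pi = {0};

    // CreateProcess may modify the command-line buffer, so it must be writable.
    // NOTE(review): with lpApplicationName == NULL the unqualified name "notepad" is
    // resolved through the CreateProcess search order, which starts with the
    // launcher's own directory and the current directory. A production launcher
    // should pass the full path of the intended executable.
    char commandLine[] = "notepad test.txt";

    // CREATE_SUSPENDED keeps the child from running any code before it is in the job.
    if (!CreateProcessA(NULL, commandLine, NULL, NULL, FALSE, CREATE_SUSPENDED,
                        NULL, NULL, &si, &pi))
    {
        std::cout << "CreateProcess Error !\nError Code is" << GetLastError() << std::endl;
        CloseHandle(hJob);
        return 1;
    }

    if (!AssignProcessToJobObject(hJob, pi.hProcess))
    {
        std::cout << "AssignProcessToJobObject Error !\nError Code is" << GetLastError() << std::endl;
        // Never resume a child that could not be placed in the job.
        TerminateProcess(pi.hProcess, 1);
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
        CloseHandle(hJob);
        return 1;
    }

    // The assignment is complete once the call returns, so the original one-second
    // Sleep before resuming is not needed.
    ResumeThread(pi.hThread);
    CloseHandle(pi.hThread);

    WaitForSingleObject(pi.hProcess, INFINITE);
    CloseHandle(pi.hProcess);
    CloseHandle(hJob);
    return 0;
}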